MX policy based routing based on application - possible?

SOLVED
Here to help

We have 2 internet uplinks on WAN 1 and WAN2.

On the dashboard the only option for PBR is based on source/destination IP and ports.

Does MX support PBR based on applications?

I do find application routing in the VPN SD-WAN policy, but not for internet traffic.

We have a customer requesting this feature for SaaS traffic, for example: the O365 app uses WAN 1 and the Webex app uses WAN1, in a single-site dual-internet scenario.

1 ACCEPTED SOLUTION

Accepted Solutions
Getting noticed

Re: MX policy based routing based on application - possible?

While you can't specify traffic by application name, you *could* do it on an IP address basis:

https://help.webex.com/en-us/WBX264/How-Do-I-Allow-Webex-Meetings-Traffic-on-My-Network#targetText=1...)

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

But this results in a very static configuration, and if SaaS providers change or add IP address ranges you have to update this list.

Anyway, I wanted to answer it because in my experience such IP addresses (or ranges) don't really change that much.

Microsoft even has a service where you can query their O365 ranges by API, but I haven't found a way yet to update this configuration option through the Dashboard API.
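As an added example (not from the thread, from Meraki or from Microsoft), the following script shows the IP-range workaround described above and the maintenance problem that comes with it: it takes a payload in the shape of Microsoft's O365 endpoint web service, collapses the required ranges for chosen service areas into a minimal prefix list, turns them into destination-CIDR PBR entries, and diffs two refreshes so a stale rule set is noticed. The endpoint data is constructed, and the rule field names are this example's own, not the Dashboard API's.

```python
"""Turn published SaaS IP ranges into destination-CIDR PBR entries.

Added example for this thread; not Meraki's, Microsoft's or the posters' code.
The payload shape mirrors Microsoft's Office 365 endpoint web service (a JSON
array of endpoint sets with serviceArea, ips, tcpPorts/udpPorts, required), but
the data below is constructed so the script runs offline.
"""
import ipaddress
import json

# Constructed sample in the shape of the O365 endpoint web service output.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "required": True, "tcpPorts": "443",
     "ips": ["40.96.0.0/13", "40.104.0.0/15", "2603:1006::/40"]},
    {"id": 2, "serviceArea": "Exchange", "required": True, "tcpPorts": "80,443",
     "ips": ["40.96.0.0/14"]},                      # already inside 40.96.0.0/13
    {"id": 3, "serviceArea": "Skype", "required": True, "udpPorts": "3478-3481",
     "ips": ["52.112.0.0/14"]},
    {"id": 4, "serviceArea": "Common", "required": False, "tcpPorts": "443",
     "ips": ["13.107.6.152/31"]},                    # optional set, skipped
])


def required_prefixes(payload, service_areas):
    """Collapsed prefixes (v4 then v6) of the required endpoint sets in the given areas."""
    nets = []
    for endpoint in json.loads(payload):
        if endpoint.get("required") and endpoint.get("serviceArea") in service_areas:
            nets.extend(ipaddress.ip_network(c, strict=False) for c in endpoint.get("ips", []))
    # collapse_addresses merges overlapping/adjacent prefixes but needs one IP version at a time
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def pbr_rules(prefixes, preferred_uplink, port="any"):
    """One destination-CIDR rule per prefix; the field names are this example's own."""
    return [{"destination": {"cidr": p, "port": port}, "preferredUplink": preferred_uplink}
            for p in prefixes]


def diff_prefixes(old, new):
    """What changed between two refreshes, so a stale static rule set can be spotted."""
    old_set, new_set = set(old), set(new)
    return {"added": sorted(new_set - old_set), "removed": sorted(old_set - new_set)}


if __name__ == "__main__":
    prefixes = required_prefixes(SAMPLE_ENDPOINTS, {"Exchange"})
    print(json.dumps(pbr_rules(prefixes, "wan1"), indent=2))
    print(diff_prefixes(["40.96.0.0/13"], prefixes))
```

Running the diff against a saved copy of the previous prefix list on each refresh is what turns the static configuration into one you can keep current.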
4 REPLIES 4
Kind of a big deal

Re: MX policy based routing based on application - possible?

Nope, this is not available for Internet traffic. As you said, it's src/dst ports/IPs only.

Getting noticed

Re: MX policy based routing based on application - possible?

I was trying to do the same thing with the entire set of O365 subnets, without success. It's just too much.

https://help.webex.com/en-us/WBX264/How-Do-I-Allow-Webex-Meetings-Traffic-on-My-Network

Maybe Webex is not that bad.

Here to help

Re: MX policy based routing based on application - possible?

Thanks guys. I had a similar request before on the "not app aware" Check Point firewall that requires rules to control O365 traffic. I didn't work it out.

I wonder why Meraki is able to offer this feature for VPN traffic but not for internet traffic.
